STIGQter: STIG Summary: Traditional Security Checklist, Version: 1, Release: 3, Benchmark Date: 15 Jun 2020

Classified Material Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media

DISA Rule

SV-42428r3_rule

Vulnerability Number

V-32111

Group Title

Classified Material Destruction - Improper Disposal of AIS Hard Drives and Storage Media

Rule Version

IS-11.01.02

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

For CLASSIFIED automated information system (AIS) data processing and/or storage equipment such as hard drives and media:

CLASSIFIED automated information system (AIS) data processing/storage devices such as system hard drives and media must be properly sanitized using approved NSA guidelines (purged of all classified data so that recovery using known laboratory attack is not possible) before such equipment or media is disposed of or placed in use (and/or stored) in a lower classification environment or an unclassified environment.

NOTE 1: Clearing procedures using overwrite software are not sufficient to dispose of classified equipment or media (for instance by release to property disposal, vendors, or placement in trash) or to re-use it in an unclassified or lesser classification environment other than its original classification level. Clearing will only enable the equipment or media to be re-used within the original classified environment.

NOTE 2: NSA guidance for classified equipment can be found in the NSA/CSS Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual. Sanitization and disposal must also be IAW Enclosure 3 and Enclosure 7 of Volume 3 of DoD Manual 5200.01, which provides additional clarifying guidance for the DoD. Some important excerpts from this guidance pertaining to classified equipment and storage media follow:

Classified IT storage media (e.g., hard drives) cannot be declassified by overwriting.

Sanitization (which may destroy the usefulness of the media) or physical destruction is required for disposal.

NOTE 3: The specific methods and procedures for sanitization of classified hard drives or storage media differ depending on sensitivity of data, type of hard drive or storage media (magnetic, solid state, etc.) and ownership of the hard drive or storage media. To ensure DoD information is not inadvertently disclosed to unauthorized individuals, the activity security manager should coordinate with the local Authorizing Official (AO) and/or IT staff to ensure local procedures for disposal of computer hard drives appropriately address removal of U.S. Government data prior to disposal.

Check Contents

For CLASSIFIED automated information system (AIS) data processing and/or storage equipment such as hard drives and media:

Check to ensure data processing or storage devices are properly sanitized (purged of all classified data so that recovery using known laboratory attack is not possible) in accordance with current NSA guidance before such equipment or media is disposed of or placed in use (and/or stored) in a lower classification environment or an unclassified environment.

NOTE 1: Clearing procedures using overwrite software are not sufficient to dispose of classified equipment or media (for instance by release to property disposal, vendors, or placement in trash) or to re-use it in an unclassified or lesser classification environment other than its original classification level. Clearing will only enable the equipment or media to be re-used within the original classified environment.

NOTE 2: NSA guidance can be found in the NSA/CSS Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual. Be certain to also read and apply specific guidance for the DoD from Enclosure 3 and Enclosure 7 of Volume 3 of DoD Manual 5200.01. Important excerpts from this guidance pertaining to disposal of classified equipment and storage media follow:

Classified IT storage media (e.g., hard drives) cannot be declassified by overwriting.

Sanitization (which may destroy the usefulness of the media) or physical destruction is required for disposal.

NOTE 3: The specific methods and procedures for sanitization of classified hard drives or storage media differ depending on sensitivity of data, type of hard drive or storage media (magnetic, solid state, etc.) and ownership of the hard drive or storage media. To ensure DoD information is not inadvertently disclosed to unauthorized individuals, the activity security manager should coordinate with the local Authorizing Official (AO) and/or IT staff to ensure local procedures for disposal of computer hard drives appropriately address removal of U.S. Government data prior to disposal.

TACTICAL ENVIRONMENT: Applies in all environments whenever classified documents or materials are to be destroyed.

Vulnerability Number

V-32111

Documentable

False

Rule Version

IS-11.01.02

Severity Override Guidance

For CLASSIFIED automated information system (AIS) data processing and/or storage equipment such as hard drives and media:

Check to ensure data processing or storage devices are properly sanitized (purged of all classified data so that recovery using known laboratory attack is not possible) in accordance with current NSA guidance before such equipment or media is disposed of or placed in use (and/or stored) in a lower classification environment or an unclassified environment.

NOTE 1: Clearing procedures using overwrite software are not sufficient to dispose of classified equipment or media (for instance by release to property disposal, vendors, or placement in trash) or to re-use it in an unclassified or lesser classification environment other than its original classification level. Clearing will only enable the equipment or media to be re-used within the original classified environment.

NOTE 2: NSA guidance can be found in the NSA/CSS Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual. Be certain to also read and apply specific guidance for the DoD from Enclosure 3 and Enclosure 7 of Volume 3 of DoD Manual 5200.01. Important excerpts from this guidance pertaining to disposal of classified equipment and storage media follow:

Classified IT storage media (e.g., hard drives) cannot be declassified by overwriting.

Sanitization (which may destroy the usefulness of the media) or physical destruction is required for disposal.

NOTE 3: The specific methods and procedures for sanitization of classified hard drives or storage media differ depending on sensitivity of data, type of hard drive or storage media (magnetic, solid state, etc.) and ownership of the hard drive or storage media. To ensure DoD information is not inadvertently disclosed to unauthorized individuals, the activity security manager should coordinate with the local Authorizing Official (AO) and/or IT staff to ensure local procedures for disposal of computer hard drives appropriately address removal of U.S. Government data prior to disposal.

TACTICAL ENVIRONMENT: Applies in all environments whenever classified documents or materials are to be destroyed.

Check Content Reference

M

Potential Impact

This rule and associated checks apply to Classified (SIPRNet) hard drives and storage media that contain either volatile or non-volatile memory or both. Volatile memory is generally completely purged/sanitized from a storage device upon removal of power (over a period of time depending on the storage device). The primary concern is with non-volatile memory, which remains on a storage device permanently unless properly removed by NSA-approved methods and/or the device is physically destroyed.

Target Key

2506
